- Upgrading Terraform from 1.1.8 to 1.3.5 - Upgrading Kubernetes from 1.23.5 to 1.25.4 - Using the Q35 machine type for workers - Using UEFI for boot - Refactored XSLT
# Public half of the bootstrap token ("<token-id>.<token-secret>").
# Upper-case and special characters are switched off so the value stays
# within the [a-z0-9] alphabet Kubernetes expects for a token ID; lower-case
# letters and digits are the provider defaults and remain enabled.
# Replaced (and therefore re-generated) whenever the rotation base changes,
# which also forces the Secret below to be recreated under a new name.
resource "random_password" "bootstrap_token_id" {
  length  = 6
  upper   = false
  special = false

  lifecycle {
    replace_triggered_by = [time_rotating.bootstrap_expiry_base]
  }
}
# Secret half of the bootstrap token. Same charset restrictions as the ID
# ([a-z0-9] only), 16 characters long.
# The generated value is persisted in Terraform state, so the state backend
# holds a credential that lets a machine join the cluster as a node; protect
# it accordingly. Rotated together with the ID on the same trigger.
resource "random_password" "bootstrap_token_secret" {
  length  = 16
  upper   = false
  special = false

  lifecycle {
    replace_triggered_by = [time_rotating.bootstrap_expiry_base]
  }
}
# Rotation clock for the bootstrap token. Every 60 days this resource is
# replaced, and every resource listing it in replace_triggered_by (both
# random_password values and the kubernetes_secret) is recreated with it.
# Note that the replacement only happens on the next plan/apply after the
# rotation date; the token's own "expiration" field is the server-side
# backstop if no apply runs in time.
resource "time_rotating" "bootstrap_expiry_base" {
rotation_days = 60
}
# The bootstrap token itself, published in kube-system as a Secret of type
# bootstrap.kubernetes.io/token so the API server's bootstrap-token
# authenticator can use it. Both halves of the token come from the
# random_password resources above and are therefore also present in
# Terraform state.
resource "kubernetes_secret" "bootstrap_token" {
  type = "bootstrap.kubernetes.io/token"

  metadata {
    namespace = "kube-system"
    # Bootstrap token Secrets are expected to be named bootstrap-token-<id>.
    name = "bootstrap-token-${random_password.bootstrap_token_id.result}"
  }

  data = {
    # Server-side expiry: 90 days (2160h) after the rotation base, i.e. 30 days
    # beyond the 60-day rotation_days of time_rotating.bootstrap_expiry_base.
    # If an apply runs after the rotation date the token is replaced earlier;
    # if not, the API server stops accepting it here.
    "expiration" = timeadd(time_rotating.bootstrap_expiry_base.id, "2160h")

    # Additional groups granted to whoever authenticates with this token, on
    # top of the implicit system:bootstrappers group. The ClusterRoleBindings
    # in this file bind system:bootstrappers itself, so these finer-grained
    # groups only matter if something outside this file binds them.
    "auth-extra-groups" = "system:bootstrappers:worker,system:bootstrappers:ingress"

    # Token is valid both for authenticating joining nodes and for signing the
    # cluster-info ConfigMap.
    "usage-bootstrap-authentication" = "true"
    "usage-bootstrap-signing"        = "true"

    "token-id"     = random_password.bootstrap_token_id.result
    "token-secret" = random_password.bootstrap_token_secret.result
  }

  lifecycle {
    # Explicit trigger; the new token-id in the name would force replacement
    # on rotation anyway, this just makes the coupling visible.
    replace_triggered_by = [time_rotating.bootstrap_expiry_base]
  }
}
# Lets the CSR approving controller auto-approve node client certificate
# requests coming from members of system:bootstrappers, i.e. from any
# bootstrap token. Holding a valid bootstrap token is thus sufficient to
# obtain a node client certificate without human approval, which makes the
# token's lifetime and confidentiality the controlling factors.
resource "kubernetes_cluster_role_binding" "auto_approve_node_csrs" {
  metadata {
    name = "auto-approve-csrs-for-nodes"
  }

  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = "system:certificates.k8s.io:certificatesigningrequests:nodeclient"
  }

  subject {
    api_group = "rbac.authorization.k8s.io"
    kind      = "Group"
    name      = "system:bootstrappers"
  }
}
# Allows already-joined nodes (system:nodes) to have renewals of their own
# client certificate approved automatically. Only the node's own client
# certificate (selfnodeclient) is covered; serving-certificate requests are
# not handled by this binding.
resource "kubernetes_cluster_role_binding" "auto_approve_node_renewals" {
  metadata {
    name = "auto-approve-renewals-for-nodes"
  }

  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = "system:certificates.k8s.io:certificatesigningrequests:selfnodeclient"
  }

  subject {
    api_group = "rbac.authorization.k8s.io"
    kind      = "Group"
    name      = "system:nodes"
  }
}
# Grants the built-in system:node-bootstrapper role to system:bootstrappers so
# a machine authenticating with the bootstrap token can submit a CSR for its
# node client certificate. Together with auto_approve_node_csrs this completes
# unattended TLS bootstrapping for new nodes.
resource "kubernetes_cluster_role_binding" "nodes_create_csrs" {
  metadata {
    name = "create-csrs-for-node-bootstrappers"
  }

  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = "system:node-bootstrapper"
  }

  subject {
    api_group = "rbac.authorization.k8s.io"
    kind      = "Group"
    name      = "system:bootstrappers"
  }
}